## 20160505 AK
----
[[ConvertingPgpKeyToCertificate/CZ|Česky]] | '''english'''
----
== Creating a new X.509 certificate from your PGP key pair ==
This page complements http://wiki.cacert.org/ConvertingCertificateToPgp by describing the reverse direction.
The following tools are needed: [[http://gnupg.org/download/index.en.html|GnuPG]], [[http://manpages.ubuntu.com/manpages/natty/man1/openpgp2ssh.1.html|openpgp2ssh]] from the [[http://web.monkeysphere.info/|monkeysphere]] project and [[http://openssl.org/|openssl]].
/!\ The steps described were performed on a virtual machine running Ubuntu.
----
1. You have already created a PGP key pair of RSA keys. Its secret key looks like this:
{{{sec 2048R/059B4809 2011-10-29 [valid to: 2013-12-31]}}}<<BR>><<BR>>The PGP key ID is $KEYID (in this example 059B4809).
----
2.#2 openpgp2ssh works only if the secret key is not password-protected. So it might be necessary to remove the protection. The corresponding gpg command is:
{{{gpg --edit-key $KEYID}}}<<BR>><<BR>>Then use the {{{passwd}}} sub-command to remove the password.
----
3.#3 Now it's time to export the PGP key and hand it over to openpgp2ssh:
{{{gpg --export-secret-key $KEYID | openpgp2ssh $KEYID > id_rsa}}}<<BR>><<BR>>id_rsa's content should look like:
{{{
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
-----END RSA PRIVATE KEY-----
}}}
----
4.#4 Next a Certificate Signing Request (CSR) can be generated:
{{{openssl req -new -key id_rsa -out id_rsa.csr}}}<<BR>><<BR>>id_rsa.csr's content should look like:
{{{
-----BEGIN CERTIFICATE REQUEST-----
MIIC9jCCAd4CAQAwgZkxCzAJBgNVBAYTAkRFMRMwEQYDVQQIEwpTb21lLVN0YXRl[...]
-----END CERTIFICATE REQUEST-----
}}}
----
5.#5 Now you have a CSR. Log in to the CAcert webpage -> "Client Certificates" -> "New" -> choose the registered email address, mark "Show advanced options", copy the content of {{{id_rsa.csr}}} into the input field headed "Optional Client CSR, no information on the certificate will be used", and push "Next".
----
6.#6 CAcert should notify you that the certificate can be retrieved.
----
7.#7 Copy the content from the certificate and from the file {{{id_rsa}}} into one file {{{email@address.pem}}}.
Its content should look like:
{{{
-----BEGIN CERTIFICATE-----
MIIFRjCCAy6gAwIBAgIDCuP8MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
-----END RSA PRIVATE KEY-----
}}}
----
8.#8 Finally create a PKCS#12 container:
{{{openssl pkcs12 -export -in email@address.pem -out email@address.pem.p12}}}
----
You may now import your key pair to your email client.
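Before the certificate and {{{id_rsa}}} are combined in step 7, it is worth confirming that the issued certificate really carries the public key of {{{id_rsa}}} and of the CSR. The shell functions below are an added example, not part of the original page; the function names and the file name {{{cert.pem}}} for the certificate saved from CAcert are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# file name cert.pem (certificate saved from CAcert) are assumptions.

# Print the SHA-256 digest of the public key held in a file.
# $1 = key | csr | cert, $2 = path. Fails if the file cannot be parsed.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An empty result would hash to the same value for every file.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if private key, CSR and certificate share one public key.
# $1 = private key, $2 = CSR, $3 = certificate
same_keypair() {
    k=$(pubkey_digest key "$1") || return 1
    r=$(pubkey_digest csr "$2") || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Step 7 with the check in front: write certificate + key to $4,
# readable by the owner only, and refuse to write on a mismatch.
write_bundle() {
    same_keypair "$1" "$2" "$3" || {
        echo "key, CSR and certificate do not match" >&2
        return 1
    }
    ( umask 077 && cat "$3" "$1" > "$4" && chmod 600 "$4" )
}

# Usage: write_bundle id_rsa id_rsa.csr cert.pem email@address.pem
```

The {{{id_rsa}}} file from step 3 is an unencrypted private key, so it deserves the same owner-only permissions until the PKCS#12 container from step 8 exists.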
----
. CategoryStepByStep